fix(core): handle invalid email

Author: balazsorban44

packages/next-auth/src/core/index.ts

@@ -9,6 +9,7 @@ import { SessionStore } from "./lib/cookie"
 import type { NextAuthAction, NextAuthOptions } from "./types"
 import type { Cookie } from "./lib/cookie"
 import type { ErrorType } from "./pages/error"
+import { parse as parseCookie } from "cookie"
 
 export interface RequestInternal {
   /** @default "http://localhost:3000" */
@@ -68,7 +69,7 @@ async function toInternalRequest(
       method: req.method,
       headers,
       body: await getBody(req),
-      cookies: {},
+      cookies: parseCookie(req.headers.get("cookie")),
       providerId: nextauth[1],
       error: url.searchParams.get("error") ?? nextauth[1],
       host: detectHost(headers["x-forwarded-host"] ?? headers.host),

packages/next-auth/src/core/routes/signin.ts

@@ -30,12 +30,25 @@ export default async function signin(params: {
       return { redirect: `${url}/error?error=OAuthSignin` }
     }
   } else if (provider.type === "email") {
-    // Note: Technically the part of the email address local mailbox element
-    // (everything before the @ symbol) should be treated as 'case sensitive'
-    // according to RFC 2821, but in practice this causes more problems than
-    // it solves. We treat email addresses as all lower case. If anyone
-    // complains about this we can make strict RFC 2821 compliance an option.
-    const email = body?.email?.toLowerCase() ?? null
+    /**
+     * @note Technically the part of the email address local mailbox element
+     * (everything before the @ symbol) should be treated as 'case sensitive'
+     * according to RFC 2821, but in practice this causes more problems than
+     * it solves. We treat email addresses as all lower case. If anyone
+     * complains about this we can make strict RFC 2821 compliance an option.
+     */
+    let email = body?.email?.toLowerCase()
+
+    if (!email) return { redirect: `${url}/error?error=EmailSignin` }
+
+    email = email
+      .split(",")[0]
+      .trim()
+      .replaceAll("&", "&")
+      .replaceAll("<", "&lt;")
+      .replaceAll(">", "&gt;")
+      .replaceAll('"', "&quot;")
+      .replaceAll("'", "&#x27;")
 
     // Verified in `assertConfig`
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion

packages/next-auth/tests/email.test.ts

@@ -0,0 +1,59 @@
+import { createCSRF, handler } from "./lib"
+import EmailProvider from "../src/providers/email"
+
+const originalEmail = "balazs@email.com"
+
+test.each([
+  [originalEmail, `,<a href="example.com">Click here!</a>`],
+  [originalEmail, ""],
+])("Sanitize email", async (emailOriginal, emailCompromised) => {
+  const sendEmail = jest.fn()
+
+  const { secret, csrf } = createCSRF()
+
+  const email = {
+    original: emailOriginal,
+    compromised: `${emailOriginal}${emailCompromised}`,
+  }
+
+  const { res } = await handler(
+    {
+      providers: [EmailProvider({ sendVerificationRequest: sendEmail })],
+      adapter: {
+        getUserByEmail: (email) => ({ id: "1", email, emailVerified: null }),
+        createVerificationToken: (token) => token,
+      } as any,
+      secret,
+    },
+    {
+      prod: true,
+      path: "signin/email",
+      requestInit: {
+        method: "POST",
+        body: JSON.stringify({
+          email: email.compromised,
+          csrfToken: csrf.value,
+        }),
+        headers: { "Content-Type": "application/json", Cookie: csrf.cookie },
+      },
+    }
+  )
+
+  if (!emailCompromised) {
+    expect(res.redirect).toBe(
+      "http://localhost:3000/api/auth/verify-request?provider=email&type=email"
+    )
+    expect(sendEmail).toHaveBeenCalledWith(
+      expect.objectContaining({
+        identifier: email.original,
+        token: expect.any(String),
+      })
+    )
+  } else {
+    expect(res.redirect).not.toContain("error=EmailSignin")
+
+    const emailTo = sendEmail.mock.calls[0][0].identifier
+    expect(emailTo).not.toBe(email.compromised)
+    expect(emailTo).toBe(email.original)
+  }
+})

packages/next-auth/tests/lib.ts

@@ -1,3 +1,4 @@
+import { createHash } from "crypto"
 import type { LoggerInstance, NextAuthOptions } from "../src"
 import { NextAuthHandler } from "../src/core"
 
@@ -7,17 +8,16 @@ export const mockLogger: () => LoggerInstance = () => ({
   debug: jest.fn(() => {}),
 })
 
+interface HandlerOptions {
+  prod?: boolean
+  path?: string
+  params?: URLSearchParams | Record<string, string>
+  requestInit?: RequestInit
+}
+
 export async function handler(
   options: NextAuthOptions,
-  {
-    prod,
-    path,
-    params,
-  }: {
-    prod?: boolean
-    path?: string
-    params?: URLSearchParams | Record<string, string>
-  }
+  { prod, path, params, requestInit }: HandlerOptions
 ) {
   // @ts-ignore
   if (prod) process.env.NODE_ENV = "production"
@@ -27,11 +27,7 @@ export async function handler(
       params ?? {}
     )}`
   )
-  const req = new Request(url, {
-    headers: {
-      host: "",
-    },
-  })
+  const req = new Request(url, { headers: { host: "" }, ...requestInit })
   const logger = mockLogger()
   const response = await NextAuthHandler({
     req,
@@ -49,3 +45,14 @@ export async function handler(
     log: logger,
   }
 }
+
+export function createCSRF() {
+  const secret = "secret"
+  const value = "csrf"
+  const token = createHash("sha256").update(`${value}${secret}`).digest("hex")
+
+  return {
+    secret,
+    csrf: { value, token, cookie: `next-auth.csrf-token=${value}|${token}` },
+  }
+}